/**
 * Path Glob Matcher
 *
 * Provides glob pattern matching for policy.allowed_paths and policy.denied_paths.
 * Used by executors to enforce policy at tool invocation time.
 *
 * @module policy/path-matcher
 */
/**
 * Match a file path against a glob pattern.
 *
 * Supports:
 * - `*` matches any characters except `/`
 * - `**` matches any characters including `/` (recursive)
 * - `?` matches exactly one character except `/`
 * - Literal strings match exactly
 *
 * @param filePath - File path to check (use forward slashes)
 * @param pattern - Glob pattern to match against
 * @returns true if the path matches the pattern
 *
 * @example
 * ```ts
 * matchesPattern("src/foo/bar.ts", "src/**") // true
 * matchesPattern("src/foo.ts", "*.ts") // false (no directory match)
 * matchesPattern("foo.ts", "*.ts") // true
 * matchesPattern("src/test/foo.spec.ts", "**\/*.spec.ts") // true
 * ```
 */
export declare function matchesPattern(filePath: string, pattern: string): boolean;
/**
 * Check if a file path is allowed by policy.
 *
 * Rules:
 * 1. If denied_paths contains a matching pattern, DENY (denied takes precedence)
 * 2. If allowed_paths is empty, ALLOW (empty = allow all)
 * 3. If allowed_paths contains a matching pattern, ALLOW
 * 4. Otherwise, DENY
 *
 * @param filePath - File path to check
 * @param allowedPaths - Patterns where edits are allowed
 * @param deniedPaths - Patterns where edits are forbidden
 * @returns true if the path is allowed
 *
 * @example
 * ```ts
 * // Allow src/**, deny secrets/**
 * isPathAllowed("src/foo.ts", ["src/**"], ["secrets/**"]) // true
 * isPathAllowed("secrets/key.txt", ["src/**"], ["secrets/**"]) // false
 * isPathAllowed("docs/readme.md", ["src/**"], []) // false
 *
 * // Empty allowed = allow all (minus denied)
 * isPathAllowed("anywhere.txt", [], []) // true
 * isPathAllowed("secrets/key.txt", [], ["secrets/**"]) // false
 * ```
 */
export declare function isPathAllowed(filePath: string, allowedPaths: string[], deniedPaths: string[]): boolean;
/**
 * Filter a list of file paths by policy.
 *
 * @param filePaths - List of file paths to filter
 * @param allowedPaths - Patterns where edits are allowed
 * @param deniedPaths - Patterns where edits are forbidden
 * @returns Object with allowed and denied paths
 */
export declare function filterPathsByPolicy(filePaths: string[], allowedPaths: string[], deniedPaths: string[]): {
    allowed: string[];
    denied: string[];
};
/**
 * Get the reason why a path was denied.
 *
 * @param filePath - File path that was denied
 * @param allowedPaths - Patterns where edits are allowed
 * @param deniedPaths - Patterns where edits are forbidden
 * @returns Explanation of why the path was denied, or null if allowed
 */
export declare function getDenialReason(filePath: string, allowedPaths: string[], deniedPaths: string[]): string | null;